firewall: don't crash the whole qubes-firewall service on DNS fail

If DNS resolution fails, just block the traffic (for this VM), but don't
crash the whole service.

Fixes QubesOS/qubes-issues#3277

qubesagent/firewall.py

@@ -248,8 +248,12 @@ class IptablesWorker(FirewallWorker):
             elif 'dst6' in rule:
                 dsthosts = [rule['dst6']]
             elif 'dsthost' in rule:
-                addrinfo = socket.getaddrinfo(rule['dsthost'], None,
-                    (socket.AF_INET6 if family == 6 else socket.AF_INET))
+                try:
+                    addrinfo = socket.getaddrinfo(rule['dsthost'], None,
+                        (socket.AF_INET6 if family == 6 else socket.AF_INET))
+                except socket.gaierror as e:
+                    raise RuleParseError('Failed to resolve {}: {}'.format(
+                        rule['dsthost'], str(e)))
                 dsthosts = set(item[4][0] + fullmask for item in addrinfo)
             else:
                 dsthosts = None
@@ -458,8 +462,12 @@ class NftablesWorker(FirewallWorker):
             elif 'dst6' in rule:
                 nft_rule += ' ip6 daddr {}'.format(rule['dst6'])
             elif 'dsthost' in rule:
-                addrinfo = socket.getaddrinfo(rule['dsthost'], None,
-                    (socket.AF_INET6 if family == 6 else socket.AF_INET))
+                try:
+                    addrinfo = socket.getaddrinfo(rule['dsthost'], None,
+                        (socket.AF_INET6 if family == 6 else socket.AF_INET))
+                except socket.gaierror as e:
+                    raise RuleParseError('Failed to resolve {}: {}'.format(
+                        rule['dsthost'], str(e)))
                 nft_rule += ' {} daddr {{ {} }}'.format(ip_match,
                     ', '.join(set(item[4][0] + fullmask for item in addrinfo)))